The purpose of this CXTech Week 40 2024 newsletter is to highlight, with commentary, some of the news stories in CXTech this week. What is CXTech? The C stands for Connectivity, Communications, Collaboration, Conversation, Customer; X for Experience because that’s what matters; and Tech because the focus is enablers.
You can sign up here to receive the CXTech News and Analysis by email or by my Substack. Please forward this on if you think someone should join the list. And please let me know any CXTech news I should include.
Covered this week:
- Podcast 94: Truth in Telecoms, What to do about AIT, Kevin Graham and Daniel Gill
- TADSummit 2024 is less than 3 weeks away
- Everything is set for TADHack Global
- Welcome Video for TADHack Africa
- Welcome Video for TADHack Sri Lanka
- September RTC Security Newsletter
- The 6G Manifesto
Podcast 94: Truth in Telecoms, What to do about AIT, Kevin Graham and Daniel Gill
In Podcast 93 we reviewed AIT (Artificially Inflated Traffic) from an independent perspective. Feedback was complimentary on the openness, depth, breadth, and forward-looking discussion of the threat that AIT poses to the whole ecosystem.
We reviewed the ecosystem, the responsibilities, what can and can not be done to enable compliance.
A common refrain from people who attend SMS industry events is that the public discussion is on managing AIT, while the private discussions are focused on generating AIT. Should there be a code of conduct at events? But how can it be enforced when the sponsors paying the event organizers are in control?
We see that across many events, where notorious AIT generators present on how enterprises can protect themselves from AIT. We covered in Podcast 93 how enterprises are not in a position to protect themselves, they have no metrics, there is no governance. Codes of conduct do not work, they are window dressing.
Daniel raised the idea that independent certification bodies could hold CPaaS to account, like ISO, GDPR, etc. Kevin explained that at MEF discussions on certification, with 28 people in attendance, the discussion always stalled on who pays, especially as A2P SMS is a leaky bucket with many ways to introduce AIT and other gray traffic.
Daniel raised the idea of a push:pull model, with an accreditation certification from an independent audit. Or perhaps brands could publish their internal accreditation, like BT’s traffic light system with its A2P partners. But then other businesses could ride off their investment, so they will likely keep it private.
Google and Facebook are responsible for about half the A2P traffic. Because SMS lacks governance they can not audit the supply chain, which is why Google has led passkey adoption to move their customers away from A2P SMS. Google in particular is a “telco”, they dominate RCS, employ the smartest people in the industry, so likely already have an anti-AIT strategy. The issue is that letting SMS die on the vine is in their interests, given RCS and WhatsApp. Perhaps this is too negative an opinion?
The core elements of the ecosystem are Brands (Google and Meta (WhatsApp) are a special case as they are telcos), CPaaS, and Operators (Telcos).
The biggest risk with the biggest fines is exposure of consumer data, as Daniel mentioned last week. Perhaps this should be the focus to motivate action?
There is a geographic diversity. In North America, within the next 3-5 years, RCS is likely to dominate with Google in control, with the cooperation of carriers. Remember, Google has suffered at the hands of CPaaS AIT, so their trust will be low with that part of the messaging ecosystem.
Can shame be a driver? Unlikely. Elon Musk shamed the industry, they shrugged and continued with AIT.
Kevin described the 3 channels: RCS (small but growing), SMS (decline by volume, static by revenue for now), and WhatsApp (growing).
The fraudsters call their category SMS Monetization, e.g. SMS firewalls. The commercial deals for SMS firewalls usually end up with the highest bidder, who use AIT to make that deal possible. Telco commercial decisions are not in the best interests of their operations.
BT’s lead in owning their firewall, an enforceable code of conduct, in addition to other processes has enabled a positive impact. Though it takes time to build out the carrier route, and the GSMA will likely add politics into the mix, making coordination even slower.
This was an excellent review of the problem space. Next we’ll map it out and see if there’s a way to use consumer privacy as a driver, or perhaps Google/Meta could be motivated into action, or some of the other ideas mentioned. The answer is not easy, the current situation is unacceptable, and inaction accelerates the decline of SMS, and brings more focus on how to bring fraud into RCS and WhatsApp.
TADSummit 2024 is less than 3 weeks away
Thanks to TADSummit sponsors TSG Global, Inc. and Strolid, Inc. for understanding the importance of truth (no BS) for customers
Here are the agendas for 22nd October and 23rd October. The focus is the truly innovative stuff in programmable communications.
Since its founding in 2013 TADSummit has a stated policy of no BS. https://tadsummit.com/2024/policy/.
This has a number of outcomes. We’ve always had innovators who lead their field presenting at TADSummit. Those whose insights are often drowned out by large vendor marketing. Those who attend TADSummit, and are able to adopt the insights get bought, as the large vendors can not.
Today, there is a yawning gap between vendors / service providers, and their customers. As an example, remember last year when Elon Musk railed against telcos stealing $60M from Twitter using SMS?
It’s actually some CPaaS companies. And the customers being stolen from include most of the large brands, e.g. Google, Microsoft, Amazon, large banks and financial institutions, etc. That theft has not stopped in 2024, it’s hundreds of millions.
At TADSummit, no BS means we focus on the truth. Which is unfortunately rare at the moment. The PSTN is in the worst state it’s ever been with robocalling and spam SMS. I’ll stop there and instead focus on all the uplift content in the TADSummit Agenda. All times are US East Coast, NYC time.
A few highlights from Day 1 are:
- Raj presented at the first TADSummit in Bangkok in 2013. He’s gone on to found Wootag, a video marketing company whose time has come in making all the video content we generate integrated and interactive with our businesses. We stay connected with friends.
- Last year Unifonic shared how they build moats for each of their countries of operation. Matteo will expand on that strategy.
- Daniel from Augnet will share how the curse of AIT can be stopped.
- Kevin will share a post quantum view of security in programmable communications.
- The event sponsors, STROLID and TSG Global will share their keynotes before and after lunch. These are can’t-miss presentations.
- We’ll hear from TADS regular Sebastian Schumann on their latest successes.
- We wrap up the day with what I consider to be the most interesting AI Agent on the market, VAPI.
Agenda: 22 October
08:00 Wootag’s Journey. Raj Sunder, Founder and CEO Wootag
08:30 Conquer the world or win the customer? A cross road moment for CPaaS players seeking to shore up investor confidence. Matteo Gatta, Founder GenNoor, ex-CEO BICS
09:00 The 20+ year Governance and Certification Gap in A2P SMS. When is it Going to End? Daniel Gill, Founder and CEO Augnet
09:30 Can a new foreign owned business even enter the US market for messaging? Alex Kinch, Wholesale telecommunications expert
10:00 Realizing the Benefits of Business Identity for Optimal Consumer Contact. Gerry Christensen, Head of Caller ID Reputation® Partnerships and Expert in Communications Identity and Trust
10:30 Is Security in Programmable Communications ready for the post Quantum Era? Kevin Graham, Mobile Technology and Cloud Communications Leader Mobile Engagement | A2P Messaging | Network APIs | CPAAS
11:00 Webio: Revolutionizing Debt Conversations with Conversation Intelligence. Paul Sweeney, Co-Founder and Chief Strategy Officer, Webio
11:30 How Drachtio and Jambonz are changing the World of Programmable Telecoms. Dave Horton, Creator of jambonz, the open source voice gateway for CX/AI, and drachtio.org, the open source framework for SIP Server applications
SPONSOR KEYNOTE 12:00 Why TNID Matters. Noah Rafalko, Founder CEO TSG Global
12:30 LUNCH
SPONSOR KEYNOTE 13:00 The Rise and Rise of vCon. Thomas McCarthy-Howe, CTO STROLID, Innovating Automotive Conversations
13:30 SCITT and vCon AI governance for conversations, at scale. Steve Lasker, Director of Ecosystem DataTrails
14:00 Programmable Global Carrier Digital Services. Sebastian Schumann, Networks & Services International, Deutsche Telekom
14:30 Unified compliance for human and AI agents with Call Score. Surbhi Rathore, CEO & Co-Founder, Symbl.ai
15:00 By The Numbers. Alan Quayle, Founder TADSummit and TADHack, Independent Consultant, Focused on Reality not Marketing BS.
16:00 When are we going to get GPT4o (Her) in open source? Nikhil Gupta, Founder, CTO @ Vapi (YC W21)
Agenda: 23 October
08:00 Evolve or Get Left Behind, The Next Generation of CPaaS is Here. Dinesh Saparamadu, Founder and CEO, hSenid Mobile
08:30 Wadaro, how in-SIM software is revolutionizing telecoms. Robert Wakeling, Founder and CEO, Wadaro
09:00 Slash the Industry 4.0 Gordian Knot – Simplify Digital Transformation with Programmable Communications. Matthew D Smith, Chief Executive Officer, fieldcloud SAS
09:30 Understanding the Brands and their Messaging Needs. Holly ‘The SMS Queen’ Depies, SMS and Contact Center Technology Consultant.
10:00 Voice AI: Breaking Past the Bullshit. RJ Burnham, Founder & CEO at Consig AI.
10:30 Voxist’s Real Time Enterprise AI. Karel Bourgois, Founder & CEO Voxist, President Le Voice Lab, VP of Technology Hub France IA, Member of the AI Expert Panel Bibliothèques Sans Frontières · International Corporate and Administration Volunteer.
11:00 TADSummit Panel Discussion. Are LLMs about to disrupt enterprise SaaS (Software as a Service)? Karel Bourgois, Founder & CEO Voxist; Paul Sweeney, Co-Founder and Chief Strategy Officer, Webio; Lyle Pratt, Vida.io Founder & CEO; Nikhil Gupta, Founder, CTO @ Vapi (YC W21); RJ Burnham, Founder & CEO at Consig AI
12:00 The Future of Business Messaging. Scott Warner, Business Consultant
12:30 LUNCH
13:00 Telephone Consumer Protection Act for the International Audience. Eric Troutman, Czar of the TCPA, Tsar of the TSR, Telecom Attorney, Partner Troutman Amin, LLP, Founder TCPAWorld.com, Founder and President R.E.A.C.H
13:30 The Truth of RoboCalling in the US. Alex Quilici, CEO @ YouMail
14:00 Vida Voice AI. Lyle Pratt, Vida.io Founder & CEO
14:30 A2P Revenue Assurance, Carriers Can Take Back Control! Ivan Maksic, Poacher Turned Gamekeeper
15:00 Using speech-to-speech models in conversational chatbots. Rob Pickering, Internet and Real Time Communication Software Expert, Innovator, Advisor, Investor.
Everything is set for TADHack Global
Sponsored by Strolid, Inc. (#vCon) and TSG Global, Inc. (#TNID)
I added the pre-TADHack sessions to the Developer Resources Sections, on the TADHack website.
https://tadhack.com/2024/
You can start hacking whenever you like. Looking forward to seeing everyone’s hacks on 19-20th Oct. Results will be announced on 21st Oct.
TADHack Welcome Videos
Welcome Video for TADHack Africa
TADHack runs locations around the world. It’s the largest and longest running hackathon focused on programmable communications since 2013.
Here is the welcome video for Africa, these are always fun as I can review the past 11 years of TADHacks and the contribution each location has made.
Africa has an amazing TADHack history, definitely the most diverse and colorful hackathons. We even made it onto breakfast TV news in South Africa. TADHacks have run in Johannesburg, South Africa, Lagos, Nigeria, Lusaka, Zambia, Dar Es Salaam, Tanzania, Kaduna, Nigeria, Nairobi, Kenya, Kampala, Uganda, and many more.
Welcome Video for TADHack Sri Lanka
TADHack runs locations around the world. It’s the largest and longest running hackathon focused on programmable communications since 2013.
Here is the welcome video for Sri Lanka, these are always fun as I can review the past 11 years of TADHacks and the contribution each location has made. Sri Lanka is a BIG contribution, not only to TADHack, but to innovations in telecommunications.
September RTC Security Newsletter
Another month, another RTC Security Newsletter to review 🙂
I’ll focus on the “Telco security: VoLTE vulnerabilities as well as SS7 hacking”. I also recommend you review the OWASP (Open Web Application Security Project) news.
SecurityGen has released a new white paper detailing key security issues they’ve identified in VoLTE (Voice over LTE) roaming environments. The paper highlights several critical concerns, including:
- VoLTE Subscriber Attack Vectors
- SIP Protocol Vulnerabilities in VoLTE
VoLTE Subscriber Attack Vectors
The primary security risks here revolve around unauthorized access to the IMS (IP Multimedia Subsystem) core network. Historically, core networks were treated like a “walled garden”—protected from unauthorized external access while being relatively open internally. However, a closer look reveals flaws in these assumptions.
When using a mobile phone with VoLTE, the device establishes multiple connections. The first is for general Internet access, and a second—dedicated to voice traffic—connects to the IMS core. This is the defining feature of VoLTE: voice communications over LTE infrastructure.
While most mobile operators assume that automatic configuration limits subscriber access solely to voice services, attackers can bypass these safeguards. A simple configuration change, such as switching from the standard Internet APN (Access Point Name) to the IMS APN, can give unauthorized users (even subscribers) direct access to IMS core elements. This kind of access opens a variety of potential attack vectors, allowing malicious actors to connect directly to services like SIP proxies, SBCs (Session Border Controllers), and even potentially other subscribers. Alarmingly, internal network services, like SSH or administrative interfaces, could become accessible if left improperly secured.
This situation isn’t necessarily a flaw but more a consequence of how VoLTE is designed: mobile devices need IP access to IMS core elements to process voice communication. In theory, it might be possible to restrict access from unauthorized devices, but implementing such restrictions in practice might be more challenging than it seems. Additionally, the paper highlights that some networks even allow IP spoofing, further broadening the attack surface.
To mitigate these risks, mobile providers must:
- Limit network traffic to only the essential services (SIP, RTP, IPsec).
- Prevent direct communication between subscribers on the network.
- Implement egress traffic filtering to block IP spoofing.
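The three mitigations above can be read as an ordered, default-deny policy on traffic arriving from the IMS APN. The sketch below is an added example, not taken from the white paper or the newsletter; the address plan, port numbers and names such as `SIP_EDGE` and `verdict` are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan and ports: assumptions for illustration only.
SUBSCRIBER_POOL = ipaddress.ip_network("10.64.0.0/16")  # addresses leased on the IMS APN
SIP_EDGE = ipaddress.ip_address("10.200.0.10")          # P-CSCF / SBC
MEDIA_GW = ipaddress.ip_address("10.200.0.20")          # RTP media gateway
SIP_PORTS = {5060}
RTP_PORTS = range(20000, 30000)

@dataclass(frozen=True)
class Flow:
    leased_ip: str   # address the network assigned to this bearer
    src: str         # source address actually seen in the packet
    dst: str
    proto: str       # "udp", "tcp" or "esp" (IPsec)
    dport: int = 0

def verdict(flow: Flow) -> str:
    """Apply the three mitigations in order; the default is drop."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Egress filtering: the packet source must be the leased address.
    if src != ipaddress.ip_address(flow.leased_ip):
        return "drop:spoofed-source"
    # No direct subscriber-to-subscriber traffic.
    if dst in SUBSCRIBER_POOL:
        return "drop:subscriber-to-subscriber"
    # Only essential services (SIP, RTP, IPsec) reach the IMS core.
    if dst == SIP_EDGE and flow.proto == "esp":
        return "accept:ipsec"
    if dst == SIP_EDGE and flow.proto in ("udp", "tcp") and flow.dport in SIP_PORTS:
        return "accept:sip"
    if dst == MEDIA_GW and flow.proto == "udp" and flow.dport in RTP_PORTS:
        return "accept:rtp"
    return "drop:not-essential"

# Constructed sample flows for one subscriber leased 10.64.1.5.
SAMPLES = {
    "register": Flow("10.64.1.5", "10.64.1.5", "10.200.0.10", "udp", 5060),
    "media": Flow("10.64.1.5", "10.64.1.5", "10.200.0.20", "udp", 20500),
    "ssh-to-edge": Flow("10.64.1.5", "10.64.1.5", "10.200.0.10", "tcp", 22),
    "peer": Flow("10.64.1.5", "10.64.1.5", "10.64.7.9", "udp", 5060),
    "spoofed": Flow("10.64.1.5", "10.64.9.9", "10.200.0.10", "udp", 5060),
}

if __name__ == "__main__":
    for name, flow in SAMPLES.items():
        print(f"{name:12} {verdict(flow)}")
```

The SSH flow to the SIP edge is the case the paragraph above warns about: it is dropped only because the policy is default-deny, not because SSH is named anywhere.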
SIP Protocol Vulnerabilities in VoLTE
The white paper also addresses several vulnerabilities related to the SIP (Session Initiation Protocol) used in VoLTE environments:
- Sensitive Information Leaks: Misconfigured SIP proxies may reveal sensitive details like the International Mobile Equipment Identity (IMEI), device information, subscriber location (e.g., internal identifiers like cell-ID), and other private data.
- Flawed Anonymous Calling Features: Weak implementations of anonymous calling can inadvertently de-anonymize calls when analyzing SIP message headers.
- SIP Flooding and Denial of Service (DoS) Attacks: Lack of protection against SIP flooding attacks can lead to service disruptions, overwhelming the VoLTE network and causing mobile phones to malfunction.
The last point, in particular, poses a serious threat, as it could severely affect essential services that rely on uninterrupted call handling. At Enable Security, they’ve observed additional vulnerabilities and resilience issues, especially concerning media servers, which often remain inadequately protected.
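An operator can check the first two items on its own traffic by auditing SIP messages as they leave the edge proxy towards the far end. The following is an added example, not code from the white paper or from Enable Security; mapping the leak categories to the standard headers `Contact` (`+sip.instance` with a `urn:gsma:imei:` URN), `P-Access-Network-Info`, `User-Agent`/`Server` and `Privacy`/`P-Asserted-Identity` is this example's assumption, and both messages are constructed.

```python
import re

IMEI_URN = re.compile(r"urn:gsma:imei:[0-9-]+", re.IGNORECASE)

def parse_headers(message: str) -> dict:
    """Return {lowercased header name: [values]} for a SIP message's header section."""
    headers, last = {}, None
    for line in message.replace("\r\n", "\n").split("\n")[1:]:  # skip start line
        if not line.strip():
            break                                  # blank line ends the headers
        if line[0] in " \t" and last:              # folded continuation line
            headers[last][-1] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            headers.setdefault(last, []).append(value.strip())
    return headers

def audit(message: str) -> list:
    """List the leak categories present in a message as delivered to the far end."""
    h = parse_headers(message)
    findings = []
    if any(IMEI_URN.search(v) for values in h.values() for v in values):
        findings.append("imei")                    # e.g. +sip.instance in Contact
    if "p-access-network-info" in h:
        findings.append("location")                # access type and cell identifier
    if "user-agent" in h or "server" in h:
        findings.append("device-info")
    privacy = {t.strip().lower() for v in h.get("privacy", []) for t in v.split(";")}
    if "id" in privacy and "p-asserted-identity" in h:
        findings.append("anonymity")               # asserted identity not stripped
    return findings

# Constructed INVITE as it might arrive at the called handset; all values are made up.
LEAKY = "\r\n".join([
    "INVITE sip:+15550100@ims.example.invalid SIP/2.0",
    'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1',
    "To: <sip:+15550100@ims.example.invalid>",
    "Call-ID: constructed-1@ims.example.invalid",
    "CSeq: 1 INVITE",
    'Contact: <sip:10.64.1.5:5060>;+sip.instance="<urn:gsma:imei:00000000-000000-0>"',
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010000001",
    "User-Agent: ExampleVendor-Handset/1.0",
    "Privacy: id",
    "P-Asserted-Identity: <sip:+15550199@ims.example.invalid>",
    "Content-Length: 0", "", "",
])
# The same message after the edge proxy has removed the sensitive fields.
STRIP = ("p-access-network-info:", "user-agent:", "p-asserted-identity:")
CLEAN = "\r\n".join(
    l.split(";+sip.instance")[0]
    for l in LEAKY.split("\r\n") if not l.lower().startswith(STRIP))
```

Running `audit` over a capture taken on the subscriber-facing side of the proxy shows which of these categories still cross the trust boundary.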
Conclusion
The white paper offers a comprehensive overview of VoLTE vulnerabilities and covers more intricate details and attack vectors. If you’re interested in learning more, the full content is well worth a read. You can access it here, and a related webinar can be viewed on YouTube.
The 6G Manifesto
William Webb is a man on a mission to bring common sense back to telecoms. He’s published another book. His recommendation for 6G is to focus on coverage and cooperation. Not a repeat of the phallocentric 5G standard. I see a similar silliness in Network APIs. Camille Mendler did a post on 5G reaching middle age, so I had some fun with an analogy to 5G combover.
I’ve become increasingly alarmed by the visions of 6G, which I’d summarise as “5G on steroids”. With 5G disappointing, such a vision seems certain to fail. So I’ve put together the book to discuss the visions from all the key players, to set out what’s actually needed, and to put forward a different vision, that would bring benefits.
William Webb
People, Gossip, and Frivolous Stuff
Scott Warner has joined Mobilesquared Ltd as VP Commercial & Consulting. I’ve known Scott since his time at Tyntec. Scott will be speaking at TADSummit on 22-23 October.
Leslie Drewery is now Solutions Architect at Hooper Quinn. We’ve known each other for over a decade, he’s a regular TADHacker and won several times. Here’s one I particularly enjoyed, Memory Chat.
Simon Nainkin is now Vice President of Business Development at Clickatell.
Isabelle Mauny is now EU Field CTO / Chief Developer Advocate at WSO2. I’ve known Isabelle for over one decade, since her time at Vordel.
Carmen Boronat Badia is now Chief Executive Officer at Cloud District. I’ve known Carmen since her time at Opinno when we collaborated for the first TADHack Global in 2014.
Paul Nikfarjam is now Chief Growth Officer at Global Solutions Group, Inc.
Nikita Gill is now Graduate Research Assistant at University of South Florida.
Bhagirath Pandya is now Manager – International Business Development at Intech Systems : Microsoft Solutions Partner.
Andrea Lemos is now Director, Conferences & Events at Sparks, A Freeman Company. I’ve known Andrea for over one decade, since her time at Metaswitch.
Attila Danku is now Head of Business Development. BrightHills specializes in exceptional software development services (150+ developers) for regulated industries like MedTech and FinTech.
Richard Pulliam is now SVP & GM, EHS & ESG at Wolters Kluwer. I’ve known Richard since his time at CA Technologies.